In today's digital world, cybersecurity is more than just a tech issue - it's a business imperative. With cyberattacks on the rise, it's no longer enough to have just a firewall and antivirus software. The weakest link in any security chain is often the human element, which is why cybersecurity awareness training for employees is crucial.

In the Sri Lankan cyber security context we find that there are lax protocols around data security and access which can lead to breaches easily. Given that the market is fairly small any cyber attack can result in high reputational and financial damages to any brand. It is therefore critical that companies take cybersecurity awareness training for staff seriously in all types of Sri Lankan firms and especially those accountable to numerous local and foreign stakeholders. 

Some alarming stats of UK cyber attacks indicate how dire the situation is even in developed nations:

These statistics paint a clear picture: businesses are failing to prioritize cybersecurity training, leaving their employees vulnerable and their data at risk. The lesson is also quite clear given this!

Building a culture of cybersecurity:

Creating a culture of cybersecurity at Sri Lankan firms goes beyond one-time training sessions. It's about fostering an environment where security is everyone's responsibility. Here are some key takeaways on building a cyber secure culture:

Remember, cybersecurity is not just an IT issue, it's a business issue. By investing in employee training and building a culture of security, Sri Lankan firms can significantly reduce their risk of cyberattacks and protect their valuable data assets.Getting started on your cyber secure journey is easy. Cybersafe can provide cybersecurity awareness training for your board, middle management or staff to commence your cybersecure journey. Please contact us at Cybersafe by filling out the contact form.

Reference: How to improve cyber resilience across your workforce

Here are some things that small to medium sized companies in Sri Lanka who have little experience in cybersecurity can do to start becoming more cyber safe:

  1. Educate yourself and your employees. The first step is to learn more about cybersecurity and the threats that your company faces. There are many resources available online and from government agencies, however look at what applies to your business context. You should also train your employees on cybersecurity best practices, such as creating strong passwords, avoiding phishing attacks, and reporting suspicious activity to the right people.
  2. Conduct a risk assessment. This will help you to identify your company's most valuable assets and the biggest threats to those assets. Once you have identified your risks, you can develop a plan to reduce them.
  3. Implement basic security measures. There are a number of basic security measures that all companies should implement, such as:
    • Using a firewall to protect your network from unauthorized access.
    • Installing antivirus and antimalware software on all computers and devices.
    • Keeping your software up to date with the latest security patches.
    • Using strong passwords and multi-factor authentication for all accounts.
    • Backing up your data regularly.
  4. Consider hiring a cybersecurity consultant or MSP. If you have the resources, hiring a cybersecurity consultant or managed service provider is a great and fast way to get help with your cybersecurity needs. They can help you to develop a security policy and plan, train your staff, help implement security measures, and even monitor your network for threats via tools.

Here are some additional tips for small businesses with no experience in cybersecurity:

By following these tips, small businesses can start to become more secure and protect themselves from cyber threats.

As specialists in helping firms of all sizes become familiar and adopt cybersecurity best practices Cybersafe is able to help should you require assistance. We can provide cybersecurity awareness training for your board, middle management or staff to commence your cybersecure journey. Please contact us at Cybersafe by filling out the contact form.

  1. Introduction: 

In an era marked by our growing reliance on technology, the significance of Cybersecurity and Online Safety cannot be emphasized enough. As we navigate the digital landscape, the potential risks and threats associated with cyber attacks loom ever larger. These threats can manifest in various forms, ranging from the theft of sensitive information to financial losses and, in the worst cases, disruption to critical infrastructure.

The introduction of the Cybersecurity Act and the Online Safety Act No. of 2023 in Sri Lanka underlines the nation's commitment to addressing these evolving challenges comprehensively. These legislative measures create a structured and strategic approach to Cybersecurity and Online Safety, establishing institutions such as the Cybersecurity Regulatory Authority and the Online Safety Commission to protect the interests of all Sri Lankans in the digital realm. Through these initiatives, the government aims to safeguard critical national information infrastructure, assess security risks, and enhance public awareness. This proactive stance is essential to ensure a secure and resilient cyber space for the benefit and safety of all citizens in the Democratic Socialist Republic of Sri Lanka.

  1. Establishment of the Cybersecurity Regulatory Authority of Sri Lanka

The Cybersecurity Regulatory Authority of Sri Lanka is established under the Cybersecurity Act, No. of 2023. The Act provides for the establishment of the Authority as the apex institution responsible for all matters relating to civilian aspects of cybersecurity. The Authority is responsible for ensuring the effective implementation of the national information and Cybersecurity strategies, and Cybersecurity policies as approved by the Cabinet of Ministers. It is also responsible for identifying and designating critical national information infrastructure, conducting security risk assessments, audits and vulnerability assessments of such infrastructure, and ensuring compliance with the procedures and timelines specified by rules made by the Authority. The Authority is governed by a Board of Directors appointed by the Minister in charge of the subject of Digital Infrastructure and Information Technology, and the Board is responsible for the management and administration of the affairs of the Authority.

  1. Cybersecurity: Definition and Scope

Cybersecurity, at its core, entails a broad range of practices and measures focused on safeguarding computer systems, networks, and sensitive data from unauthorized access, theft, and damage. Importantly, its scope extends beyond individual devices to encompass the protection of a nation's information infrastructure. The Act defines cybersecurity as the safeguarding of information during its transit, processing, and storage against various forms of cyber threats. This includes activities intended to secure cyberspace and applies to all computer systems, programs, related devices, critical infrastructure, cybersecurity service providers, and civilian aspects of cybersecurity within the public and private sectors.

  1. Background: Understanding the Current Landscape

As the world becomes increasingly reliant on digital technology, the importance of cyber-security in Sri Lanka cannot be overstated. The country has made significant progress in this field in recent years, with various stakeholders, including government entities, businesses, and individuals, working together to mitigate cyber threats. Here's an overview of the current cybersecurity landscape in Sri Lanka:

  1. Government Initiatives and Regulations:
  1. Regulatory Bodies:
  1. Legal Framework:

Key Milestones in Sri Lanka's Cybersecurity Journey

The SLCERT was established as the national agency responsible for coordinating responses to cybersecurity incidents. This marked the first concrete step towards addressing cyber threats in Sri Lanka.

Sri Lanka introduced the Computer Crimes Act, making it a criminal offense to engage in cybercrimes such as unauthorized access to computer systems, data interference, and electronic fraud.

In 2013, Sri Lanka launched its National Cybersecurity Strategy, which aimed to provide a comprehensive approach to cybersecurity. This strategy laid the foundation for future developments in the field.

Building upon the work of SLCERT, Sri Lanka established the Sri Lanka Computer Emergency Readiness Team Coordination Center (CERT|CC) to enhance its capabilities in responding to and preventing cyber threats.

The Personal Data Protection Act was enacted, providing legal provisions for the protection of personal data. This was a significant step in aligning Sri Lanka's data protection laws with international standards.

Sri Lanka unveiled its National Cybersecurity Policy, which focuses on critical areas such as risk management, international cooperation, and the development of a skilled cybersecurity workforce.

The Cyber Resilience and Cybersecurity Bill was introduced in Parliament, further strengthening the legal framework for cybersecurity. It addressed areas like critical information infrastructure protection and international cooperation in dealing with cyber threats.

5. The main objectives of the Cybersecurity Act & Online Safety Act of Sri Lanka

(1). To establish the Cybersecurity Regulatory Authority of Sri Lanka as the apex institution responsible for all matters relating to civilian aspects of cybersecurity. 

(2). To ensure the effective implementation of the national information and cybersecurity strategies, and cybersecurity policies as approved by the Cabinet of Ministers. 

The Act also provides for the protection of critical national information infrastructure in order to address the cybersecurity threats challenging Sri Lanka, and to provide for matters connected therewith or incidental thereto. 

(a) to protect persons against damage caused by communication of false statements or threatening, alarming, or distressing statements; 

(b) to ensure protection from communication of statements in contempt of court or prejudicial to the maintenance of the authority and impartiality of the judiciary; 

(c) to introduce measures to detect, prevent and safeguard against the misuses of online accounts and bots to commit offenses under this Act; and 

(d) to prevent the financing, promotion, and other support of online locations that repeatedly communicate false statements of fact in Sri Lanka. 

Therefore, the main objectives of the Online Safety Act of Sri Lanka are to protect individuals from harmful statements, ensure the protection of the judiciary, prevent the misuse of online accounts and bots, and prevent the financing and promotion of online locations that repeatedly communicate false statements of fact.

6. Powers, duties and functions of the Authority

The Cybersecurity Regulatory Authority of Sri Lanka has several powers, duties, and functions as outlined in the Cybersecurity Act, No. of 2023. These include: 

  1. Identifying and designating critical national information infrastructure. 
  2. Conducting security risk assessments, audits, and vulnerability assessments of such infrastructure. 
  3. Ensuring compliance with the procedures and timelines specified by rules made by the Authority. 
  4. Conducting and managing cybersecurity services for government institutions and other relevant sectors on request.
  5. Imposing charges and levies as shall be prescribed by regulations for any service rendered by the Authority. 
  6. Entering into agreements with or engaging in any activity, either alone or in conjunction with local or international organizations for the purposes of this Act. 
  7. Representing Sri Lanka internationally in matters relating to cybersecurity in accordance with the government procedures. 
  8. Facilitating the domestic implementation of international legal obligations to which Sri Lanka is a party, in order to ensure the effective implementation of cybersecurity strategies and cybersecurity policies. 
  9. Promoting awareness among citizens and in relevant sectors regarding the risks in cyberspace.
  10. Engaging in capacity building to protect the identity, privacy, and economic assets in cyberspace. 

These powers, duties, and functions are exercised, discharged, and performed by a Board of Directors appointed by the Minister in charge of the subject of Digital Infrastructure and Information Technology.

The powers, duties, and functions of the Online Safety Commission.

  1. To issue directives to persons, service providers or internet intermediaries, who have published or communicated or whose service has been used to communicate any prohibited statement, requiring them to provide to persons who have been adversely affected by any prohibited statement, an opportunity of responding to such prohibited statement; 
  2. To issue notices to persons who communicate false statements that constitute offenses under this Act, to stop the communication of such statements; 
  3. To issue directives to persons who communicate prohibited statements under this Act, to stop the communication of any such statements; 
  4. To issue notices to any internet access service providers or internet intermediary to disable access to an online location which contains a prohibited statement by the end-users in Sri Lanka or to remove such prohibited statement from such online location; 
  5. To refer to the appropriate court for its consideration any communications that may be in contempt of court or prejudicial to the maintenance of the authority and impartiality of the judiciary, and to provide such assistance as may be required from any court in respect of any matter so referred to such court; 
  6. To make recommendations to service providers, internet intermediaries, and internet access service providers to remove prohibited statements; 
  7. To maintain an online portal containing information to enlighten the public of the falsity of any statement; 
  8. To specify declared online locations in terms of the provisions of this Act, and make recommendations to disable access to the information disseminated through such online location; 
  9. To carry out such investigations and provide such services upon being directed by any court; 
  10. To issue codes of practice by way of rules for service providers and internet intermediaries who provide internet-based communication services to the end-users in Sri Lanka; 
  11. To register, in such a manner as may be specified by rules made under this Act, the websites providing social media platforms to the end-users in Sri Lanka; 
  12. To consult, to the extent the Commission considers appropriate, any person or group of persons who or which may be affected, or likely to be affected, in the discharge of its powers and functions; 
  13. To advise the Government, as the Commission deems appropriate, on all matters concerning online safety in Sri Lanka, within the purview of this Act. 

Therefore, the Online Safety Commission has a wide range of powers and functions, including issuing directives and notices, making recommendations, maintaining an online portal,

7. Development of Cybersecurity Infrastructure

In addition to legislative measures, Sri Lanka has also developed its cybersecurity infrastructure. The following developments showcase the country's commitment to cybersecurity:

8. Regional Differences: Examining the Variations in Cybersecurity and Online Safety Across Different Regions

Sri Lanka, like many other countries, is not homogeneous in its approach to cybersecurity and online safety. Different regions within the country exhibit variations in their readiness to counter cyber threats and protect individuals and organizations in the digital landscape. This  delves into the regional differences in cybersecurity and online safety across Sri Lanka.

Western Province

As the economic and technological hub of Sri Lanka, the Western Province, which includes the capital city, Colombo, and its surrounding areas, is the most advanced region in terms of cybersecurity and online safety. Key characteristics include:

Central Province

The Central Province, home to the city of Kandy, demonstrates varying levels of cybersecurity readiness. Key characteristics include:

Southern Province

The Southern Province, known for its beaches and tourism, presents a mixed picture of cybersecurity and online safety. Key characteristics include:

Northern and Eastern Provinces

The Northern and Eastern Provinces, which are recovering from the effects of the civil conflict, face unique challenges in terms of cybersecurity and online safety. Key characteristics include:

9. Challenges and Future Prospects

Sri Lanka's regional differences in cybersecurity and online safety reflect varying levels of development, access to resources, and awareness. To address these disparities, it is essential for the government and relevant stakeholders to consider regional contexts and tailor cybersecurity initiatives accordingly.

  1. The Imperative of Cyber Awareness:

In the modern digital age, where technology permeates every aspect of our lives, cybersecurity awareness is paramount, especially in a country like Sri Lanka. Cybersecurity awareness serves as the foundational pillar for ensuring online safety and protecting individuals, businesses, and the nation's critical infrastructure. Here are some key reasons why cybersecurity awareness is of utmost importance in Sri Lanka:

As technology advances, cyber threats become increasingly sophisticated and diverse. Cybersecurity awareness is crucial in preparing the population to identify and mitigate emerging threats, helping to safeguard against potential future attacks.

Cybersecurity is critical to national security, and Sri Lanka's strategic position in the Indian Ocean region makes it an attractive target. Cybersecurity awareness is essential to protect the nation from geopolitical cyber threats.

Sri Lanka's critical infrastructure, such as power grids, transportation systems, and healthcare facilities, is reliant on digital technology. Cybersecurity awareness is crucial to prevent cyberattacks on these essential services, which can have severe consequences for the nation.

As more personal data is shared online, individuals must be aware of the importance of data privacy and their own personal security. Awareness campaigns can empower people to protect their sensitive information.

By demonstrating a commitment to cybersecurity awareness, Sri Lanka can foster international collaboration, participate in global cybersecurity initiatives, and gain access to shared threat intelligence and best practices.

  1. Empowering Cybersecurity Awareness and Digital Inclusivity: 

A Forward-Looking Agenda for Sri Lanka.

In the coming years, Sri Lanka has the opportunity to take its cybersecurity awareness efforts to the next level and ensure a more uniform and comprehensive approach to cybersecurity and online safety. 

By focusing on infrastructure development, education, and government support tailored to the needs of different regions, Sri Lanka can ensure that cybersecurity awareness and online safety efforts are accessible and effective across the entire country. This approach will empower all citizens and businesses to protect themselves in the digital age, bridging the digital divide and promoting digital resilience throughout the nation.

10. Conclusion: Assessing Sri Lanka's Progress in Cybersecurity and Online Safety

Sri Lanka's steadfast commitment to cybersecurity and online safety is exemplified by both the Cybersecurity Act of 2023 and the Online Safety Act of 2023. The creation of the Cybersecurity Regulatory Authority and the establishment of the Online Safety Commission, along with stringent legal provisions and educational initiatives, signify significant leaps toward a more secure digital environment. As the nation continues to evolve its approach to cybersecurity, its ability to effectively navigate and mitigate new challenges will be paramount in ensuring online safety for all citizens and securing critical national information infrastructure. Sri Lanka's progress in these domains reflects its unwavering dedication to creating a safer and more secure digital future for all.


  1. Cybersecurity Bill Sri Lanka 13-07-2023
  1. Online Safety Bill Sri Lanka 15-09-2023
  1. Online Safety Bill, LinkedIn Article by Mr. Asela Waidyalankara
  1. Cyber Security Bill of Sri Lanka, LinkedIn Article by Mr. Asela Waidyalankara
  1. News Article - The Morning
  1. News Article - The Morning
  1. LinkedIn Article by Mr. Asela Waidyalankara

The primary legislation in Sri Lanka pertaining to the protection of personal data is the Personal Data Protection Act (PDPA). The PDPA aims to secure individual rights and guarantee consumer confidence about information privacy in online transactions and information networks arising from the digital economy's expansion and innovation in Sri Lanka.

Establishment of the PDPA: A Timeline

The Attorney General (AG) examined the PDPA draft bill for constitutional conformity after it was made public via the website of the Ministry of Digital Infrastructure and Information Technology (MDIIT). Following repeated conversations between the Legal Drafting Department ('LDD') and the Drafting Committee, the LDD produced an updated version of the Drafting Committee's response to the AG's criticisms. 

Following approval from the Attorney General, the bill authorized by the Cabinet of Ministers was published in the Gazette Supplementary.

The AG published these observations following their second examination of the amended version.

The Parliament passed the draft law after making several changes. 

The Speaker of Parliament approved the draft law on March 19, 2022, and the PDPA went into effect that same day.

1 December 2023 as the date on which Part VI, VIII, IX and X come into operation

18 March 2025 as the date on which Part I, II, II & VII shall come into operation

Entities involved in the preparation of PDPA

The government has prioritized PDPA legislation through the Ministry of Technology. The Telecom Regulatory Commission of Sri Lanka (TRCSL), the Securities Exchange Commission (SEC), the Central Bank of Sri Lanka, which assisted in the process's inception, as well as the ICT Agency, Sri Lanka CERT, the Ministry of Technology, and trade chambers like the Ceylon Chamber of Commerce, were working together on this PDPA's implementation aspects.

The PDPA promotes global best practices, which are drawn from documents like the OECD Privacy Guidelines, the APEC Privacy Framework, the EU General Data Protection Regulation (GDPR), the Council of Europe Data Protection Convention (Convention 108+), and laws passed in other countries like the UK, Singapore, Australia, and Mauritius, the State of California, as well as the previous data protection bill in India.

A collaborative public-private sector expert drafting team, led by the ICTA General Counsel and including the Legal Draftsman's Department, prepared this PDPA. In February 2019, the former Ministry of Digital Infrastructure began the project. The framework for proposed data protection legislation was approved by the Committee and initially made public on June 10, 2019. As a result, there were seven rounds of public stakeholder consultations, starting with a conversation between public and business sector stakeholders on June 27, 2019, with support from the ITC and the European Union.

Over 30 written contributions were received by the drafting committee from the Right to Information Commission as well as other domestic and foreign organizations, multinational enterprises, and individual specialists. The Legal Draftsman's Department revised the bill in many ways between September and October 2019 in response to this criticism.

Stakeholder engagements with commerce and other stakeholders were held by the Ceylon Chamber. In 2020, the Central Bank, TRCSL, and the Ministry of Justice all offered feedback on the draft bill, which led to additional changes being made to it. Over 18 months, the Hon. Attorney General and his staff studied the draft bill and made three observations. As a result, the bill underwent many revisions in 2020–21. An Independent Review Panel, co-chaired by former Supreme Court Justice K. T. Chitrasiri and former University of Colombo vice chancellor and law professor Prof. Savithri Goonesekera, examined the drafting committee's work.

Sri Lanka - The First South-Asian country to enact comprehensive Data Protection legislation

The Personal Data Privacy Act, No. 9 of 2022 (PDPA), was passed by Sri Lanka on March 18, 2022, making it the first nation in South Asia to adopt extensive data privacy laws. India's Personal Data Protection Bill has been up for debate since 2019; in 2022, revisions were suggested, and in 2023, India finally passed a comprehensive data protection law, the Digital Personal Data Protection Act, 2023. In Pakistan, there was also considerable momentum in 2020 for a comprehensive privacy bill, but the parliament has not yet approved the data protection laws, which are now in the draft or bill stage.  The Personal Data Protection Bill, 2023 (referred to as "the Bill") is its name. The data privacy movement in South Asia is representative of global trends as more countries propose comprehensive privacy regulations that strongly draw inspiration from the GDPR.

Personal Data Protection Act.

Definition and Key Terms

The goal of the PDPA is to include Sri Lankan controllers and processors who handle personal data of both citizens and non-citizens for either non-commercial or commercial uses. The regulation is also meant to include controllers and processors based outside of Sri Lanka that deliberately target Sri Lankan data subjects and provide products and services, create profiles, or keep an eye on their activity when it occurs there.

To safeguard particularly sensitive personal data that might potentially harm an individual if it is misused, the PDPA also designates a category of personal data as "special categories of personal data." Special categories of personal data are those that reveal information about an individual's race or ethnicity, political opinions, religious or philosophical beliefs, genetic information, biometric information, information about their health, sexual orientation, or relationship to another person, as well as information about offenses, criminal proceedings, convictions, or information about a child.

The responsible authority for the enforcement of the PDPA in Sri Lanka

The authority responsible for enforcing the PDPA is the Data Protection Authority of Sri Lanka. The PDPA stipulates that data subjects who are unhappy with controller decisions have the option to appeal to the authority. The Data Protection Authority has the authority to look into complaints and, at its discretion, to approve or reject them. If an appeal is granted, the concerned controller must notify the authority and the relevant data subject of the action taken following the authority's judgment.

The authority can demand that someone appear before it, question someone under oath or affirmation, and demand the provision of information on the processing activities of a controller or processor, among other broad investigative authorities.

Committee stage revisions to the bill significantly changed provisions pertaining to the Data Protection Authority in Part V. The statute specifies the three-tier qualifications needed to serve on the board. The President shall choose a minimum of five and a maximum of seven members to the Board, chosen among those who have proven excellence in the following criteria:

The hiring of the Authority's director general and employees, who would be chosen through a competitive process and given tenure as per rules published in the Gazette.

Phases of the PDPA's implementation are planned, with Part V brought into effect on July 21, 2023, after a gazette announcement. This important step made it possible for the government to choose the Data Protection Authority Board of Directors, which consists of seven people with backgrounds in engineering, law, accounting/finance, and regulatory affairs.

The initial Board is composed of the following individuals: Arjuna Herath is the former consulting leader of Ernst & Young in Sri Lanka and the Maldives and a senior chartered accountant who leads the board of directors. Sulakshana Jayawardana, Additional Secretary to the President; Bimsara Seneviratne, ISO Lead Auditor and Technology Management Specialist; Saumya Amarasekera, President's Counsel; Jayantha Fernando, Chair of the PDPA Drafting Committee; and Shehan Wijetilaka, Electronics Engineer and Digital Strategy Specialist, are among the other notable members.

Data Protection Officers

If the controller is a government ministry, department, or public corporation, Section 20(1) requires the mandatory appointment of a data protection officer, or DPO unless the judiciary is acting in its official capacity or the controller's or processor's primary processing activity comprises a prescribed activity.

The core activities of DPO are processing operations that result in a risk to the rights of the data subjects protected by the PDPA, processing particular categories of personal data on a prescribed scale or magnitude, or processing that requires regular and systematic monitoring of data subjects on a prescribed scale or magnitude.

Principles of processing

The PDPA establishes guidelines for the gathering and use of personal data, identical to what the GDPR does. The following principles, which each controller is required to make sure personal data is treated, are

(Source: Sri Lankan Personal Data Protection Legislation – An Overview by Jayantha Fernando and Sanduni Wickramasinghe)

Rights of Data Subjects

Right to be informed : Section 11 of the PDPA requires controllers to give, in writing or electronically, the information mentioned in Schedule V of the PDPA as well as information about any decision made in response to a request made under Part II of the PDPA in a clear, concise, understandable, and readily available manner.

Example:The identity and contact details of the controller and, where applicable, the controller's representative; the contact details of the DPO, etc.

The existence of the right to make a complaint with the Authority, as well as the process for exercising the rights of the data subject as outlined in Part II of the PDPA, etc

Right of access:  According to Section 13 of the PDPA, upon a written request to the controller, the data subject will have the right to access their personal data, as well as a confirmation of whether or not such personal data has been processed and the information listed in Schedule V of the PDPA.  

According to Section 17, if a controller receives a written request, they must notify the data subject in writing within 21 working days of the request's date. This includes telling the data subject whether such request has been granted, whether such request has been refused, and the reasons for it, unless such disclosure is prohibited under any written law, etc.

Right to rectification: Every data subject has the right, under Section 15 of the PDPA, to request that the controller update or correct any incomplete or incorrect personal data. The controller shall, without undue delay, correct or complete the data subject's personal information upon receiving a written request to do so.

Right to erasure:  According to Section 16 of the PDPA, each data subject is entitled to request in writing that their data be deleted under certain conditions and to get a response from the controller within 21 working days of the request date.

Right to object:  Every data subject has the right, at any time, to withdraw their permission if processing is based on it, according to Section 14. However, the right to withdraw consent will not impact the legality of any processing that has already occurred.

Automated individual decision making: Under the PDPA, Section 18, each and every data subject has the right to ask the controller to review decisions made exclusively on the basis of automated processing if such processing has resulted in, or is likely to result in, an irreversible and ongoing impact on the data subject's rights and freedoms as guaranteed by any written law.

Right to appeal to the Authority against certain decisions of the controller: According to Section 19 of the PDPA, a data subject may file an appeal with the Authority in accordance with the format, style, and time frame that may be defined, challenging certain decisions made by the controller listed in the PDPA.

What is ‘Personal Data Breach’ and its Notification?

According to the PDPA, "any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored, or otherwise processed" is classified as a "personal data breach." A controller is generally required under the PDPA to inform the authority in the event that there is a breach involving personal data.

Rules created under the PDPA, which are probably going to be published once the authority is founded, will specify the format, timing, and mode of notice. Therefore, the PDPA does not yet specify the threshold for a notifiable breach, the period for making such a notice, or the conditions under which notifying the authority and the data subjects is appropriate.

Cross-border data transmission

Subject to the restrictions outlined in the PDPA, cross-border data transmission and processing in third-party countries outside of Sri Lanka are permitted. A public body functioning as a controller or processor shall only transfer data to a third party designated by an adequacy judgment. The applicable written laws and the enforcement procedures available in the third country shall be taken into consideration by the Minister responsible for the case when making an adequate decision, which may be made after consulting with the Authority.

Subject to an adequacy determination, a controller or processor who is not a public body may also process personal data in a foreign country. If an adequacy decision is not made, personal data may only be transferred to a third country if the controller or processor responsible for the transfer can guarantee that the obligations imposed under Part I, II, and Sections 20 to 25 of the PDPA are met by putting in place the necessary safeguards. To guarantee that the transferee complies with the PDPA's obligations, the transferor affecting such a transfer must adopt an instrument that may be defined by the authority.

Solicited Messages

The PDPA's guiding principles for data protection are applicable to any electronic marketing campaign that uses personal information.

Furthermore, prior to sending any direct marketing communications—which the law designates as "solicited messages"—the controller must have the approval of the data subject. This applies to communications delivered by electronic or other means.

Penalties Under the PDPA

Every time an organization is found to be in violation of a provision of the PDPA, it faces fines of up to 10 million rupees (LKR). Repeat offenders will be required to pay an extra penalty equal to double the amount assessed as a penalty for the second and each consecutive non-compliance, in addition to the penalty for the current non-compliance. The Authority shall collect these fines and deposit them in the Consolidated Fund following the necessary compensation provided to the affected data subjects.

If an organization does not pay the fine within the time range that the authority has set, the authority may take legal action against it in the Colombo Magistrate Court. An additional penalty for the offender is that their business operations in Sri Lanka may be suspended.

Furthermore, within twenty-one working days of receiving notice that an administrative penalty is being imposed under the PDPA, a controller or processor who feels wronged by the decision may file an appeal with the Court of Appeal.

The following are some of the criteria that the authority will take into account before issuing a penalty:


The PDPA is based on a number of international agreements, such as the GDPR, which establishes EU data protection guidelines for the protection of personal data.

The PDPA contains rules pertaining to lawfulness, purpose specification, purpose restriction, data retention, accuracy, confidentiality, and integrity that are comparable to those of the GDPR. 

In contrast to the GDPR, the PDPA specifically mentions responsibility and transparency as distinct concepts.  While the PDPA acknowledges openness as a concept imputed to the controller of analogous duties, the GDPR attributes transparency's significance to the rights of data subjects. Conversely, accountability entails a comprehensive range of responsibilities that include compliance measures and data protection management processes. 

The PDPA has particularly left out the right to data portability since it is primarily a consumer right rather than a data protection right, and because Sri Lanka is still developing and cannot yet execute such technically demanding legal requirements.  While the GDPR regulations prioritize certain rights of data subjects, with the exception of the right to data portability.

While the PDPA adopts a method where public authorities are required to localize personal data unless certain types of data are allowed to be processed outside of Sri Lanka with the joint consent of the data protection authority and the supervisory entity of such public authority, the GDPR does not specifically mandate data localization requirements in its text. Similarities exist between the adequacy decision-making process and the GDPR, whereby the DPA is authorized to recognize nations that meet the PDPA's requirements for acceptable levels of protection for personal data.

The importance of PDPA in Sri Lanka

The government's and the commercial sector's adoption of digital initiatives made personal data protection legislation imperative. The Act is critical because it will improve the management and regulation of personal data, particularly with regard to contact tracing solutions for health authorities to handle COVID-19 effectively and to advance Sri Lanka's digital identification strategy.

When the pandemic struck Sri Lanka in 2020, the availability of information online and the ability to access services through online portals became even more common, boosting government institutions' efficiency. For example, the Immigration and Emigration Department and the Department of Registration of Persons continue to utilize their e-systems after implementing them due to COVID-19 restrictions. They have even delegated data input labor to officials from other departments, digitizing processes.

There are other projects, such as a digitization program for Grama Niladhari Divisions under the e-Grama Niladhari project. The public, however, expressed concerns on social media regarding the copious amount of data that they must provide to the Grama Niladhari for the e-Grama Niladhari (eGN) project. They questioned how a digitization effort could be trusted when the data was being gathered via printed forms. As a solution, the Personal Data Protection Act permits people to hold the government responsible for the collection of personal data. Though legitimate, the public's worries already have statutory backing in the event of a data breach. In addition, they have the option to transmit their complaints to the institution's appointed data protection officer.

On the other hand, the personal data protection legislation stimulates investment in the BPO/BPM and other data processing sectors. Because of this, the government has prioritized this law through the Ministry of Technology in order to guarantee cross-governmental implementation. As a result, the PDPA is considered as one of the strengths that would boost foreign business contracts.

It has also been observed that innovation may flourish in a market that values data privacy, particularly when privacy-enhancing technology, privacy-by-default, and such design principles are used. Trust is a crucial component of the digital sphere, particularly for government and other private/public organizations undergoing digital changes, as the efficacy of these initiatives depends on the trust of the user (data subject). The PDPA's principles of accountability, data quality, openness, and proportionality can support and enhance the trust factor in any society, which can result in more people using digital services and perhaps promote greater innovation.

Why is PDPA awareness important in Sri Lanka?

According to Statista Market Insights,  ITU - International Telecommunication Union,  by 2024, there will be 15.62 million internet users in Sri Lanka, according to projections. In the upcoming years, there will be a rise in the number of internet users. The necessity for data protection and privacy regulations is increasing as a result of the ongoing development of digitalization and the use of the Internet.

The internet and improvements in communication capabilities allow for the daily transmission, storing, and gathering of enormous amounts of data. The Fourth Industrial Revolution (4IR) has brought forth new challenges for data protection and privacy with the advent of Internet of Things (IoT) devices. 

Emerging trends in Sri Lanka, such as the use of data-gathering digital and cloud services, for e-mail and calendar management, social media, and cloud communication services like Google Calendar, Microsoft Outlook/Teams, Zoom, and Slack, are becoming increasingly popular. These systems serve as the main channels for communication, and free applications that offer this service gather a lot of data, which is subsequently used to target advertising. 

Moreover, concerns about privacy arise while using virtual private networks (VPNs). VPNs enable the capture of any data that a device transmits or receives, allowing for the easy and thorough acquisition of personal information.

Furthermore, with the launch of 5G service in 2020, there is an increased demand for PDPA.  Software and associated information and communication technology (ICT) services have emerged as one of Sri Lanka's top exports from the service industry. The General Data Protection Regulation (GDPR) and other international privacy laws may require certain exporters to comply with them, but PDPA will further lessen risks and enhance security.

Importance of PDPA Awareness for Individuals : 

Being careless about data privacy carries risks and concerns, particularly for children who are too involved in technology and are ready to divulge any information about themselves in order to receive instant satisfaction from social media or online gaming. Another group that is adversely affected is the elderly, who are not too digitally savvy and hence are vulnerable to readily giving out personal information. It is the responsibility of educators, parents, guardians, and policymakers to educate ourselves and others about the potential consequences of internet privacy violations and laws and regulations related to personal data protection. A crucial element is to demystify the broader topics of cyber-hygiene and cybersecurity and make them easy to understand for the majority.

Importance of PDPA Awareness for Businesses and Organizations :

For organizations, including government entities, that handle vast amounts of data and require that data for their operations, PDPA knowledge is essential to their operations and survival, starting at the board and operational levels.  It is a bare minimum to have a publicly visible privacy policy compliant with the PDPA similar to following the GDPR example adopted by many European Union companies. Firms must display competence and ability to act based on these data privacy policies. Companies must safeguard client data, in particular if they want to retain the trust of their customers and avoid legal penalties. When customers bring up cybersecurity issues or raise formal complaints, businesses should address them in an organized fashion and take the necessary actions to validate and resolve them. 

Importance of PDPA Awareness for Educational Institutions :

Educational institutions, both the early stage K-12 and the university level, handle a large volume of personal information in the form of student data over time. This contains data including student names, demographic details, addresses, health information, photos, and more. Furthermore, a school database frequently contains data on volunteers, staff, governors, and job candidates. Data security becomes even more vulnerable as the volume of data grows. The PDPA encourages educational institutions to reconsider how they gather and handle data, which will ultimately result in less data being retained.  This is essential to schools since student data must frequently be retained for years after students graduate and because children's personal information has to be protected more. Compliance with PDPA not only gives data subjects more control over what happens to their information, but it also increases the accountability schools have when processing personal data.


  1. Personal Data Protection Act No. 9 of 2022 - The parliament of Sri Lanka
  2. Sri Lankan Personal Data Protection Legislation – An Overview by Jayantha Fernando and Sanduni Wickramasinghe
  3. Data Protection Law by DLA Piper
  4. Overview of Sri Lanka’s Personal Data Protection Act
  5. Article on The Personal Data Protection Act by
  6. Wilmerhale privacy and cybersecurity law
  7. (Mr. Asela Waidyalankara Interview) Questions abound over data collection for the eGN project by Sarah Hannan, The Morning
A Talos Consulting (PVT) LTD initiative
© 2023, Cybersafe. All Rights Reserved.